Analysis
-
max time kernel
104s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 11:19
Static task
static1
Behavioral task
behavioral1
Sample
LUSA TEX ORDER 07282020 .exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
LUSA TEX ORDER 07282020 .exe
Resource
win10v2004-20220414-en
General
-
Target
LUSA TEX ORDER 07282020 .exe
-
Size
1.3MB
-
MD5
cbd2e0a042f3734b1b72543b3a55bd99
-
SHA1
e6b6ffe43795d6a4c6b3c60e1dbfe6b2d29333c6
-
SHA256
044c48fe42178958d8f55e5404e056ff0f1071d865deda9cc42518ab2c87fda7
-
SHA512
17a7f971ec908a19d0a0c8b9611caf7b0b3148a84723b3cf4d25d0a65b1a45341998a51286ad1dee31c9183010171311d4dd8c53ec603bfba61e37caedd8d10c
Malware Config
Extracted
C:\Users\Admin\AppData\Local\0F48153F20\Log.txt
masslogger
Extracted
Protocol: smtp
Host: mail.privateemail.com
Port: 587
Username: wintom@wls-com.me
Password: MORELOVE123
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
Processes:
yara_rule: masslogger_log_file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
LUSA TEX ORDER 07282020 .exe, LUSA TEX ORDER 07282020 .exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | LUSA TEX ORDER 07282020 .exe
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | LUSA TEX ORDER 07282020 .exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
Processes:
LUSA TEX ORDER 07282020 .exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
41 | api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
LUSA TEX ORDER 07282020 .exe
description | pid | process | target process
PID 4120 set thread context of 64 | 4120 | LUSA TEX ORDER 07282020 .exe | LUSA TEX ORDER 07282020 .exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
LUSA TEX ORDER 07282020 .exe
pid | process
64 | LUSA TEX ORDER 07282020 .exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
LUSA TEX ORDER 07282020 .exe, LUSA TEX ORDER 07282020 .exe
pid | process
4120 | LUSA TEX ORDER 07282020 .exe
4120 | LUSA TEX ORDER 07282020 .exe
4120 | LUSA TEX ORDER 07282020 .exe
64 | LUSA TEX ORDER 07282020 .exe
64 | LUSA TEX ORDER 07282020 .exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
LUSA TEX ORDER 07282020 .exe, LUSA TEX ORDER 07282020 .exe
description | pid | process
Token: SeDebugPrivilege | 4120 | LUSA TEX ORDER 07282020 .exe
Token: SeDebugPrivilege | 64 | LUSA TEX ORDER 07282020 .exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LUSA TEX ORDER 07282020 .exe
pid | process
64 | LUSA TEX ORDER 07282020 .exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
LUSA TEX ORDER 07282020 .exe
description | pid | process | target process
PID 4120 wrote to memory of 4808 | 4120 | LUSA TEX ORDER 07282020 .exe | schtasks.exe
PID 4120 wrote to memory of 4808 | 4120 | LUSA TEX ORDER 07282020 .exe | schtasks.exe
PID 4120 wrote to memory of 4808 | 4120 | LUSA TEX ORDER 07282020 .exe | schtasks.exe
PID 4120 wrote to memory of 64 | 4120 | LUSA TEX ORDER 07282020 .exe | LUSA TEX ORDER 07282020 .exe
PID 4120 wrote to memory of 64 | 4120 | LUSA TEX ORDER 07282020 .exe | LUSA TEX ORDER 07282020 .exe
PID 4120 wrote to memory of 64 | 4120 | LUSA TEX ORDER 07282020 .exe | LUSA TEX ORDER 07282020 .exe
PID 4120 wrote to memory of 64 | 4120 | LUSA TEX ORDER 07282020 .exe | LUSA TEX ORDER 07282020 .exe
PID 4120 wrote to memory of 64 | 4120 | LUSA TEX ORDER 07282020 .exe | LUSA TEX ORDER 07282020 .exe
PID 4120 wrote to memory of 64 | 4120 | LUSA TEX ORDER 07282020 .exe | LUSA TEX ORDER 07282020 .exe
PID 4120 wrote to memory of 64 | 4120 | LUSA TEX ORDER 07282020 .exe | LUSA TEX ORDER 07282020 .exe
PID 4120 wrote to memory of 64 | 4120 | LUSA TEX ORDER 07282020 .exe | LUSA TEX ORDER 07282020 .exe
-
outlook_office_path 1 IoCs
Processes:
LUSA TEX ORDER 07282020 .exe
description | ioc | process
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | LUSA TEX ORDER 07282020 .exe
-
outlook_win_path 1 IoCs
Processes:
LUSA TEX ORDER 07282020 .exe
description | ioc | process
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | LUSA TEX ORDER 07282020 .exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe (process tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe (process tree level 2)
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD0BD.tmp"
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe (process tree level 2)
Command line: "{path}"
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LUSA TEX ORDER 07282020 .exe.log
Filesize 1KB
MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
C:\Users\Admin\AppData\Local\Temp\tmpD0BD.tmp
Filesize 1KB
MD5 ab9f8a9574d9209cd8666decb37e33cc
SHA1 b768b98d37b96bcf5eeeb4bae10589a196b66db2
SHA256 2c052172f943620c36053efd2ab1d6ef9fbb671c55669b9f49430f0f7acd7704
SHA512 5059538580cce17a2c7516e3117297310455e38ff32d51c6e17ef188448ce3567f9c968ad478df725ed2ce8630ceee2340246264a6e60877895591a67d45da70
-
memory/64-137-0x0000000000000000-mapping.dmp
-
memory/64-138-0x0000000000400000-0x00000000004B8000-memory.dmp
Filesize 736KB
-
memory/64-140-0x0000000005A50000-0x0000000005AB6000-memory.dmp
Filesize 408KB
-
memory/64-141-0x0000000008380000-0x00000000083D0000-memory.dmp
Filesize 320KB
-
memory/4120-130-0x0000000000760000-0x00000000008B6000-memory.dmp
Filesize 1.3MB
-
memory/4120-131-0x0000000005810000-0x0000000005DB4000-memory.dmp
Filesize 5.6MB
-
memory/4120-132-0x0000000005260000-0x00000000052F2000-memory.dmp
Filesize 584KB
-
memory/4120-133-0x0000000005410000-0x000000000541A000-memory.dmp
Filesize 40KB
-
memory/4120-134-0x0000000008C70000-0x0000000008D0C000-memory.dmp
Filesize 624KB
-
memory/4808-135-0x0000000000000000-mapping.dmp